Change cookie session_id (in oxauth) to non-persistent cookie

By: san jong (user), 05 Feb 2018 at 3:39 a.m. CST

3 Responses

Can "sessionIdLifetime" (Gluu 3.1.1 -> JSON Configuration -> oxauth-config.xml) be set to null so that the cookie "session_id" is non-persistent?
Looking at the method org.xdi.oxauth.service.SessionIdService.createSessionIdCookie(...), the cookie expiry setting is skipped if sessionIdLifetime is null, but the UI enforces that "sessionIdLifetime" must be at least 1.
How can I make the cookie "session_id" non-persistent?
Thanks.

Gluu 3.1.1
CentOS 7.0

closed

Answers

By Aliaksandr Samuseu (staff), 05 Feb 2018 at 2:53 p.m. CST

Hi, San.
>How can I make the cookie "session_id" non-persistent?
Could you elaborate? What do you understand by "non-persistent"? You don't want a user to have a session at Gluu, so that they would be asked for credentials each time they are redirected there? Gluu was built around the idea of providing an SSO experience to users in the first place, so it undermines its purpose a bit.

By san jong (user), 05 Feb 2018 at 7:31 p.m. CST

Hi,
Thank you for your reply; please allow me to describe in point form:
a. about persistent cookies
---------------------------
I am referring to session vs. persistent cookies, as described in this link:
https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117925-technote-csc-00.html
Basically, session cookies get discarded when the browser is closed.
b. Issue that we are facing
---------------------------
On Gluu SAML server version 2.4.4, a user logs in to our site via SAML (Gluu server); when the browser is closed and launched again to access our site, user login is **required**.
Now we have upgraded to Gluu version 3.1.1: a user logs in to our site via SAML (Gluu server); when the browser is closed and launched again to access our site, user login is **granted** by the Gluu server automatically (without the need for the user to enter a password).
We would like to retain the behaviour of Gluu SAML server 2.4.4, because users sometimes simply close the browser instead of doing a proper logout, and our site contains sensitive information.
Thanks, and I appreciate your time and help. Cheers.

By Aliaksandr Samuseu (staff), 14 Feb 2018 at 2:24 p.m. CST

Hi, San.
It turns out you are right, and some cookies' expiration method has been changed in 3.x. An [enhancement proposal](https://github.com/GluuFederation/oxAuth/issues/745) was filed for it to be a customizable feature, but there is no ETA or guarantee it will be adopted atm.
Currently, I can only suggest you try to emulate the previous behaviour using some Apache directives you can add to Gluu's virtual host in `/etc/httpd/conf.d/https_gluu.conf`.
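The reply above names Apache directives as the workaround but does not show them, so the following is an added illustration, not the Gluu team's own configuration. It assumes Gluu's vhost in `/etc/httpd/conf.d/https_gluu.conf` reverse-proxies oxAuth and that mod_headers is loaded (both are assumptions about the deployment, not facts from the thread). It uses `Header edit` (mod_headers) to strip the `Expires` and `Max-Age` attributes from any `Set-Cookie: session_id=...` response header on its way to the browser, which turns the persistent cookie back into a browser-session cookie without touching oxAuth's `sessionIdLifetime` setting.

```apache
# Added example (not Gluu project configuration): place inside the
# <VirtualHost *:443> block of /etc/httpd/conf.d/https_gluu.conf.
# Assumes mod_headers is enabled (LoadModule headers_module ...).
#
# oxAuth emits something like:
#   Set-Cookie: session_id=<value>; Path=/; Secure; HttpOnly; Expires=<date>
# The two directives below remove "; Expires=..." and "; Max-Age=..."
# from the session_id cookie only, leaving other cookies and other
# attributes (Path, Secure, HttpOnly) untouched. A cookie without either
# attribute is discarded by the browser when it is closed.

Header edit Set-Cookie "^(session_id=.*);\s*[Ee]xpires=[^;]*(.*)$" "$1$2"
Header edit Set-Cookie "^(session_id=.*);\s*[Mm]ax-[Aa]ge=[^;]*(.*)$" "$1$2"

# oxAuth often sets the cookie on a 302 redirect. Repeating the directives
# with "always" covers headers placed in the error/always table as well;
# a second pass is harmless because the pattern no longer matches.
Header always edit Set-Cookie "^(session_id=.*);\s*[Ee]xpires=[^;]*(.*)$" "$1$2"
Header always edit Set-Cookie "^(session_id=.*);\s*[Mm]ax-[Aa]ge=[^;]*(.*)$" "$1$2"
```

After reloading httpd, confirm the effect by logging in once and inspecting the response headers (for example with the browser's developer tools or `curl -I` against the login flow): the `session_id` cookie should carry no `Expires` or `Max-Age` attribute. Two caveats are worth keeping in mind: this only changes what the browser stores, so the server-side session in oxAuth still lives for the configured `sessionIdLifetime`, and a copy of the cookie value kept anywhere else remains valid until then; and because the edit is applied at the proxy, it has to be re-checked after any Gluu upgrade that regenerates the vhost file.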